我正试图在我的控制器中创建一个before_action,这样只有帐户上的成员(用户(才能查看和编辑与帐户相关的内容。目前,如果我在浏览器上更改URL,我可以查看和编辑用户不是会员的帐户。
这是我的讨论_控制者:
class DiscussionsController < ApplicationController
before_action :set_discussion, only: [:show, :edit, :update, :destroy]
before_action :authenticate_user!
# GET /discussions
def index
@newactivitys = Newactivity.all.order(created_at: :desc).limit(6)
@pagy, @discussions = pagy(Discussion.joins(:posts).group('discussions.id').order('MAX(posts.created_at) DESC'))
end
# GET /discussions/1
def show
@newactivitys = Newactivity.all.order(created_at: :desc).limit(6)
end
# GET /discussions/new
def new
@discussion = Discussion.new
@discussion.posts.new
@newactivitys = Newactivity.all.order(created_at: :desc).limit(6)
end
# GET /discussions/1/edit
def edit
@newactivitys = Newactivity.all.order(created_at: :desc).limit(6)
end
# POST /discussions
def create
@newactivitys = Newactivity.all.order(created_at: :desc).limit(6)
@discussion = Discussion.new(discussion_params)
@discussion.posts.each{ |post| post.user = current_user }
if @discussion.save
redirect_to @discussion, notice: 'Discussion was successfully created.'
else
render :new
end
end
# PATCH/PUT /discussions/1
def update
if @discussion.update(discussion_params)
redirect_to @discussion, notice: 'Discussion was successfully updated.'
else
render :edit
end
end
# DELETE /discussions/1
def destroy
@discussion.destroy
redirect_to discussions_url, notice: 'Discussion was successfully destroyed.'
end
private
# Use callbacks to share common setup or constraints between actions.
def set_discussion
@discussion = current_account.discussions.find(params[:id])
end
# Only allow a trusted parameter "white list" through.
def discussion_params
params.require(:discussion).permit(:account_id, :user_id, :channel_id, :channel_name, :title, posts_attributes: [:body])
end
end
和我的模特:用户
class User < ApplicationRecord
include ActionText::Attachable
# Include default devise modules. Others available are:
# :lockable, :timeoutable, andle :trackable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :validatable,
:confirmable, :invitable, :masqueradable,
:omniauthable
include UserAgreements, UserAccounts
has_person_name
include PgSearch::Model
pg_search_scope :search_by_full_name, against: [:first_name, :last_name], using: { tsearch: { prefix: true } }
# ActiveStorage Associations
has_one_attached :avatar
# Associations
has_many :api_tokens, dependent: :destroy
has_many :connected_accounts, dependent: :destroy
has_many :discussions
has_many :posts
has_many :channels
has_many :newactivitys, foreign_key: :recipient_id
# We don't need users to confirm their email address on create,
# just when they change it
before_create :skip_confirmation!
# Validations
validates :name, presence: true
end
讨论:
class Discussion < ApplicationRecord
acts_as_tenant :account
belongs_to :account
has_many :posts, dependent: :destroy
has_many :users, through: :posts
belongs_to :channel
scope :sorted, ->{ order(updated_at: :desc) }
validates :title, presence: true
accepts_nested_attributes_for :posts
end
账户:
class Account < ApplicationRecord
include Pay::Billable
belongs_to :owner, class_name: "User"
has_many :account_invitations, dependent: :destroy
has_many :account_users, dependent: :destroy
has_many :users, through: :account_users
has_one_attached :logo
scope :personal, ->{ where(personal: true) }
scope :impersonal, ->{ where(personal: false) }
has_one_attached :avatar
validates :name, presence: true
def email
account_users.includes(:user).order(created_at: :asc).first.user.email
end
def personal_account_for?(user)
personal? && owner_id == user.id
end
end
谢谢!
这是因为你不限制访问,在控制器中创建新的操作:
def restrict_access
redirect_to root_path unless current_account.present? && current_account.discussions.pluck(:id).include?(params[:id])
end
并称之为行动前的第一位:
before_action :restrict_access
当然,你可以做任何你想做的事,而不是重定向。也可以更改条件,使其成为的成员。